Abstract

We explain how a differential fault analysis (DFA) works on AES 128, 192 or 256 bits. 
1 Introduction

In September 1996, Boneh, DeMillo, and Lipton from Bellcore announced a new type of cryptanalytic attack which exploits computational errors to find cryptographic keys. Their attack is applicable to public key cryptosystems such as RSA, but not to secret key algorithms. E. Biham and A. Shamir extended this attack to various secret key cryptosystems such as DES, and called it Differential Fault Analysis (DFA). They applied differential cryptanalysis to the Data Encryption Standard (DES) under a hardware fault model.

We further assume that the attacker is in physical possession of the tamper-proof device, so that he can repeat the experiment with the same cleartext and key but without applying the external physical effects. As a result, he obtains two ciphertexts derived from the same (unknown) cleartext and key, where one of the ciphertexts is correct and the other is the result of a computation corrupted by a single error during the computation.

DES used a 56-bit key, which seems too short for the future. Hence a worldwide competition between secret key cryptosystems was held. The requirement of this standard was to replace DES with a symmetric cryptosystem with key sizes from 128 to 256 bits, which can be easily implemented in hardware. On Oct. 2, 2000, NIST chose Rijndael to be the Advanced Encryption Standard (AES). AES uses a 128, 192 or 256-bit key with a 128-bit input message. It works on bytes with an algebraic structure which is the finite field GF(2^8). Rijndael was chosen by NIST for its resistance to linear and differential cryptanalysis.

The major critique of DFA was the practical feasibility of the theory. But some authors [2] have designed practical experiments of this kind of attack, with the possibility of injecting the fault in a temporal window which can be clearly related to the running program. By exposing a sealed tamper-proof device such as a smartcard to certain physical effects (e.g., ionizing or microwave radiation), one can induce with reasonable probability a fault at a random bit location in one of the registers at some intermediate stage of the cryptographic computation. In practice, the perturbation can change more than one bit. We assume that it can change up to one byte anywhere between the last two MixColumn operations of AES.

For DFA on DES, the attacker knows the differential input and output of the touched S-box. For AES, contrary to DES, we don't have the value of the differential fault e, which for DES could be obtained by considering the left part of the final DES state at round 16. For AES, if we consider a single fault before the SubBytes transformation, we can't go back to the key (there are 127 possibilities for the injected fault and 256 possibilities for a single byte of the round key, so AES is protected against classical differential analysis).

When the injected fault becomes several induced faults (at least two) occurring in different bytes of the state, we can intersect the sets of possible induced faults (the cardinality of the intersection is lower than 63) and so we find a set of possible values (at most 128) for several bytes of the last subkey.

Further, we find the last subkey with enough pairs of correct ciphertext/faulty ciphertext. Once this subkey is known, we can easily find the key. For the sake of simplicity, we first assume that the first byte of the state before the MixColumn transformation of the ninth round is replaced by an unknown value. The induced fault is going to be propagated by the MixColumn and spread over four bytes of the state. There is a linear relation between the four induced faults. For each byte it is possible to find a set of possible values of the induced fault, and then a set of possible values for round key 10.

In this paper, we show that AES is sensitive to Fault Analysis. We have implemented this attack on a 
personal computer. Our analysis program found the full AES-128 key by analysing less than 50 ciphertexts. 

2 The description of the AES 

In this article, we use a description slightly different from the original AES submission FIPS PUB 197 [1]. We describe AES using matrices over GF(2^8), but we try to keep the notations of [1].

The AES is a block cipher with a block length of 128 bits, and supports key lengths $N_k$ of 128, 192 or 256 bits. The AES is a key-iterated block cipher: it consists of the repeated application of a round transformation on the state. The number of rounds is denoted $N_r$ and depends on the key length ($N_r = 10$ for 128 bits, $N_r = 12$ for 192 bits and $N_r = 14$ for 256 bits).

The AES transforms a state, noted $S \in M_4(GF(2^8))$ (i.e. $S$ is a $4 \times 4$ matrix with its coefficients in $GF(2^8)$), to another state in $M_4(GF(2^8))$. The key $K$ is expanded into $N_r + 1$ subkeys noted $K_i \in M_4(GF(2^8))$ ($i = 0, 1, \ldots, N_r$).

A round of an encryption with AES is composed of four main operations : 

1. AddRoundKey 

2. MixColumn 

3. SubBytes 

4. ShiftRows 

2.1 Representation chosen for $GF(2^8)$

The representation chosen in [1] for $GF(2^8)$ is $GF(2)[X] / \langle m \rangle$, where $\langle m \rangle$ is the ideal generated by the irreducible polynomial $m \in GF(2)[X]$, $m = x^8 + x^4 + x^3 + x + 1$.
2.2 Notations used in this article

We use four notations for representing an element of $GF(2^8)$, which are equivalent to one another:

1. $x^7 + x^6 + x^4 + x^2$, the polynomial notation

2. $\{11010100\}_b$, the binary notation

3. 'D4', the hexadecimal notation

4. 212, the decimal notation



2.3 AddRoundKey for the $i$-th round

The AddRoundKey transformation consists of an addition of matrices in $M_4(GF(2^8))$ between the state and the subkey of the $i$-th round. We denote by $S_{i,A}$ the state after the $i$-th AddRoundKey.

$$M_4(GF(2^8)) \to M_4(GF(2^8)), \quad S \mapsto S_{i,A} = S + K_i$$



2.4 SubBytes for the $i$-th round

The SubBytes transformation consists in applying to each element of the matrix $S$ an elementary transformation $s$. We denote by $S_{i,Su}$ the state after the $i$-th SubBytes.

$$M_4(GF(2^8)) \to M_4(GF(2^8))$$

$$S = \begin{pmatrix} S[1] & S[5] & S[9] & S[13] \\ S[2] & S[6] & S[10] & S[14] \\ S[3] & S[7] & S[11] & S[15] \\ S[4] & S[8] & S[12] & S[16] \end{pmatrix} \mapsto S_{i,Su} = \begin{pmatrix} s(S[1]) & s(S[5]) & s(S[9]) & s(S[13]) \\ s(S[2]) & s(S[6]) & s(S[10]) & s(S[14]) \\ s(S[3]) & s(S[7]) & s(S[11]) & s(S[15]) \\ s(S[4]) & s(S[8]) & s(S[12]) & s(S[16]) \end{pmatrix}$$

where $s$ is the non-linear application defined by

$$s : GF(2^8) \to GF(2^8), \quad x \mapsto \begin{cases} a * x^{-1} + b & \text{if } x \neq 0, \\ b & \text{if } x = 0. \end{cases}$$

$a$ is a linear invertible application over $GF(2)$, $a \in M_8(GF(2))$, $*$ is the multiplication of matrices over $GF(2)$, and $x^{-1} = \{b_0 b_1 \ldots b_7\}_b$ is seen as a $GF(2)$-vector equal to the transpose of the vector $(b_0, \ldots, b_7)$. The value of $b$ is $b = $ '63' $\in GF(2^8)$ and

$$a = \begin{pmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \end{pmatrix}$$



2.5 MixColumn for the $i$-th round

The MixColumn transformation consists of a multiplication of matrices in $M_4(GF(2^8))$ between the state and a fixed matrix $A_0$ of $M_4(GF(2^8))$. We denote by $S_{i,M}$ the state after the $i$-th MixColumn.

$$M_4(GF(2^8)) \to M_4(GF(2^8)), \quad S \mapsto S_{i,M} = A_0 \cdot S,$$

where $A_0$ is defined (in hexadecimal notation) by

$$A_0 = \begin{pmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{pmatrix}$$
2.6 ShiftRows for the $i$-th round

The ShiftRows transformation is a byte transposition that cyclically shifts the rows of the state over different offsets. We denote by $S_{i,Sh}$ the state after the $i$-th ShiftRows.

$$S = \begin{pmatrix} S[1] & S[5] & S[9] & S[13] \\ S[2] & S[6] & S[10] & S[14] \\ S[3] & S[7] & S[11] & S[15] \\ S[4] & S[8] & S[12] & S[16] \end{pmatrix} \mapsto S_{i,Sh} = \begin{pmatrix} S[1] & S[5] & S[9] & S[13] \\ S[6] & S[10] & S[14] & S[2] \\ S[11] & S[15] & S[3] & S[7] \\ S[16] & S[4] & S[8] & S[12] \end{pmatrix}$$


3 The description of the attack on the computation of AES

First, we are going to describe an attack on AES in a simple case, and after that we will see how we can generalize this attack. The goal of the attack is to recover the key $K_{N_r}$. Once we discover the subkey $K_{N_r}$, it is easy to get the key $K$, see Appendix A.



3.1 Principle of the attack

We suppose that we can change a single byte of the state after the ShiftRows of the $(N_r - 1)$-th round and that we know the index of the faulty element of the state (this last supposition can be omitted; it only makes the mechanism easier to explain). The new value of the element of the state is supposed unknown. The fault $e$ is spread over four bytes of the output state. For each modified element of the output state, we find a set of possible faults $e$. Moreover, we can intersect the possible values of $e$ over these four sets to obtain a small set, thus reducing the number of ciphertexts required for the full analysis. Finally, for each fault, we deduce some possible values of four elements of the last round key. Repeating with more ciphertexts, we find four bytes of round key 10.

This attack still works under more general assumptions on the fault locations, such as faults at unknown locations before the 9th MixColumn transformation. We also expect that faults in round 8 (before the 8th MixColumn transformation) might be useful for the analysis, at the cost of a larger number of ciphertexts required for the full analysis. With our example, we need ten ciphertexts to get four bytes of round key 10 when we make no hypothesis about the fault locations.



3.2 Example

We use the same example as Appendix B of [1]. The following diagram shows the values in the State array as the Cipher progresses, for a block length and a Cipher Key length of 16 bytes each (i.e., $N_b = 4$ and $N_k = 4$).

Input = '32 43 F6 A8 88 5A 30 8D 31 31 98 A2 E0 37 07 34'
Cipher Key = '2B 7E 15 16 28 AE D2 A6 AB F7 15 88 09 CF 4F 3C'
Output = '39 25 84 1D 02 DC 09 FB DC 11 85 97 19 6A 0B 32'

The fault propagation appears in grey tint and in hexadecimal notation:

[Figure: the state matrices of the faulty computation, read column by column, with panels "After ShiftRows 9" (with "Fault injected 1E"), "After MixColumn 9", "$K_9$" (AC 77 66 F3 19 FA DC 21 28 D1 29 41 57 5C 00 6E), "After AddRoundKey 9", "After SubBytes 10", "After ShiftRows 10", "value of $K_{10}$" (D0 14 F9 A8 C9 EE 25 89 E1 3F 0C C8 B6 63 0C A6) and "Output with Faults". The greyed bytes mark the propagation of the fault.]

The injected error in the state gives four errors in the final state.



3.3 How the injected error acts on the final state

We denote by $F$ the faulty state. Now we describe each step from the $(N_r - 1)$-th MixColumn to the end, and assume that we replace the first element of the state by an unknown value. Let $e \in GF(2^8) - \{0\}$ be defined by

3.3.1 Fault modification

Obviously

$$F_{N_r-1,Sh} = S_{N_r-1,Sh} + \begin{pmatrix} e & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \end{pmatrix}$$

3.3.2 Effect on MixColumn

3.3.3 Effect on AddRoundKey

$$F_{N_r-1,A} = S_{N_r-1,A} + \begin{pmatrix} 2.e & 0 & 0 & 0 \\ e & 0 & 0 & 0 \\ e & 0 & 0 & 0 \\ 3.e & 0 & 0 & 0 \end{pmatrix}$$

3.3.4 Effect on last SubBytes

We can define $\varepsilon_0, \varepsilon_1, \varepsilon_2, \varepsilon_3$ (the differential faults) by the following equation

3.3.5 Effect after last ShiftRows

3.3.6 Effect after last AddRoundKey

$F_{N_r,A}$ is the faulty output of a cipher. Comparing the states $F_{N_r,A}$ with $S_{N_r,A}$, it is easy to get the values of $\varepsilon_0$, $\varepsilon_1$, $\varepsilon_2$ and $\varepsilon_3$.
3.4 Example

Always in hexadecimal notation, we find

$$\text{Output with faults} + \text{Output without faults} = \begin{pmatrix} E7 & 00 & 00 & 00 \\ 00 & 00 & 00 & 51 \\ 00 & 00 & 47 & 00 \\ 00 & 99 & 00 & 00 \end{pmatrix}$$

The differential faults are $\varepsilon_0 = $ 'E7', $\varepsilon_1 = $ '51', $\varepsilon_2 = $ '47' and $\varepsilon_3 = $ '99'.
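The following Python block is an added example, not code from the paper. It implements the MixColumn matrix $A_0$ of Section 2.5 and the ShiftRows permutation of Section 2.6 on a state stored column by column (list index k holds the paper's $S[k+1]$) and follows a single-byte fault $e$ through them. AddRoundKey and SubBytes act byte by byte, so they change the differential's values but not its positions; only the two byte-moving steps are modelled. It reproduces the $(2.e, e, e, 3.e)$ column of Section 3.3.3 and the output positions of the four differentials above, and generalises to a fault at any of the 16 state positions, which is the situation of Section 4.1. Function names are this example's own; the value $e = $ '1E' is the fault of the paper's example in Section 3.6.

```python
# Added example, not code from the paper: a single-byte fault e placed in the state
# before the (N_r - 1)-th MixColumn, followed through MixColumn (Section 2.5) and the
# last ShiftRows (Section 2.6). AddRoundKey and SubBytes act byte by byte, so they
# change the differential's values but not its positions; only the two byte-moving
# steps are modelled here. A state is the 4x4 matrix of Section 2 stored column by
# column: list index k holds the paper's S[k+1]. Function names are this example's own.

AES_POLY = 0x11B   # m = x^8 + x^4 + x^3 + x + 1, the modulus of Section 2.1

def gf_mul(a, b):
    """Multiplication of two bytes in GF(2^8) = GF(2)[X] / <m>."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

# The fixed matrix A_0 of Section 2.5, given row by row.
A0 = [[0x02, 0x03, 0x01, 0x01],
      [0x01, 0x02, 0x03, 0x01],
      [0x01, 0x01, 0x02, 0x03],
      [0x03, 0x01, 0x01, 0x02]]

def mix_column(col):
    """One column of S -> A_0 . S."""
    return [gf_mul(A0[r][0], col[0]) ^ gf_mul(A0[r][1], col[1])
            ^ gf_mul(A0[r][2], col[2]) ^ gf_mul(A0[r][3], col[3]) for r in range(4)]

def mix_columns(state):
    """Apply A_0 to each of the four columns of a 16-byte column-major state."""
    return [v for c in range(4) for v in mix_column(state[4 * c:4 * c + 4])]

def shift_rows(state):
    """Row r is rotated left by r positions: S[1] stays, S[6] moves into S[2]'s slot, ..."""
    return [state[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]

def differential_after_mixcolumn(e, faulty_index):
    """F_{Nr-1,M} + S_{Nr-1,M} for a fault of value e at state index faulty_index."""
    delta = [0] * 16
    delta[faulty_index] = e
    return mix_columns(delta)

def faulty_output_positions(faulty_index):
    """Indices of the output bytes reached by a fault at faulty_index (any non-zero e)."""
    spread = shift_rows(differential_after_mixcolumn(0x01, faulty_index))
    return [i for i, v in enumerate(spread) if v]

def fault_column(positions):
    """Section 4.1: the column the injected fault sat in is read off the row-0 entry of
    the differential, the only one of the four that ShiftRows leaves in place."""
    return next(p for p in positions if p % 4 == 0) // 4

if __name__ == "__main__":
    # e = '1E' is the fault value of the paper's example in Section 3.6
    print([f"{v:02X}" for v in differential_after_mixcolumn(0x1E, 0)[:4]])   # 2e, e, e, 3e
    for k in range(16):
        print(f"fault at S[{k + 1}] -> output bytes {faulty_output_positions(k)}")
```

A fault at $S[1]$ reaches output bytes 0, 7, 10 and 13 (zero-based), which is exactly where $\varepsilon_0$, $\varepsilon_3$, $\varepsilon_2$ and $\varepsilon_1$ sit in the differential matrix above; the row-0 entry alone tells which column was hit, and the remaining row positions are the four cases Section 4.1 has to try.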



3.5 Analysis of the information brought by the fault

The only operation that could bring information about the key $K_{N_r}$ is the last SubBytes transformation. Consequently we have four equations where $x_0, x_1, x_2, x_3, e$ are unknown variables. We want to solve the following equations (in $x_i$ and $e$):

$$s(x_0 + 2.e) = s(x_0) + \varepsilon_0$$
$$s(x_1 + e) = s(x_1) + \varepsilon_1$$
$$s(x_2 + e) = s(x_2) + \varepsilon_2$$
$$s(x_3 + 3.e) = s(x_3) + \varepsilon_3$$

All these equations belong to a generalized equation

$$s(x + c.e) + s(x) = \varepsilon', \qquad (1)$$

where $c = $ '01', '02' or '03', and let us analyse it.
Definition 1 We define the set of solutions of (1) in $e$ by

$$S_{c,\varepsilon'} = \{ e \in GF(2^8) : \exists x \in GF(2^8),\ s(x + c.e) + s(x) = \varepsilon' \}.$$

Definition 2 Consider the linear application over $GF(2)$:

$$l : GF(2^8) \to GF(2^8), \quad x \mapsto x^2 + x.$$

Denote by $E_1 = Im(l)$ the $GF(2)$-vector space image of $l$; $\dim_{GF(2)}(E_1) = 7$. If $\theta \in E_1$, then there are two solutions $x_1, x_2 \in GF(2^8)$ of the equation $x^2 + x = \theta$, and the solutions verify $x_2 = x_1 + 1$.

Definition 3 Let $\lambda \in GF(2^8)$, $\lambda \neq 0$, and define $\phi_\lambda$, an isomorphism of $GF(2)$-vector spaces

$$\phi_\lambda : GF(2^8) \to GF(2^8), \quad x \mapsto \lambda.x$$

and let $E_\lambda = Im(\phi_\lambda|_{E_1})$ be the $GF(2)$-vector space image of $\phi_\lambda$ restricted to $E_1$. Moreover $\dim_{GF(2)}(E_\lambda) = 7$.

Proposition 1 There is a bijective application $\phi$ between $E_1^*$ ($= E_1 - \{0\}$) and $S_{c,\varepsilon'}$:

$$\phi : E_1^* \to S_{c,\varepsilon'}, \quad t \mapsto (c(a^{-1} * \varepsilon').t)^{-1}.$$

$S_{c,\varepsilon'}$ has 127 elements.

Proof: Let $e \in S_{c,\varepsilon'}$, then $\exists x \in GF(2^8)$ such that (1) holds. Assume $x \neq 0$ and $x \neq c.e$; we get

$$x^2 + c.e.x = (a^{-1} * \varepsilon')^{-1}.c.e.$$

We denote by $t = x.(c.e)^{-1} \in GF(2^8) - \{0\}$; then we have

$$t^2 + t = (a^{-1} * \varepsilon')^{-1}.(c.e)^{-1}. \qquad (2)$$

Therefore $(a^{-1} * \varepsilon')^{-1}(c.e)^{-1} \in E_1^*$. Reciprocally, for $\theta \in E_1^*$ we can define $(a^{-1} * \varepsilon')^{-1}.(c.\theta)^{-1} \in S_{c,\varepsilon'}$. Assume $x = 0$ or $x = c.e$; (1) becomes $a * (c.e)^{-1} = \varepsilon'$. We obtain $e = ((a^{-1} * \varepsilon').c)^{-1}$; this case is included in the previous case because $1 \in E_1^*$. We see that for the case $\theta = 1$, equation (1) has four solutions in $x$. In brief, there exists a bijection between $E_1^*$ and $S_{c,\varepsilon'}$:

$$E_1^* \to E_\lambda^* \to S_{c,\varepsilon'}, \quad t \mapsto \lambda.t \mapsto (\lambda.t)^{-1},$$

where $\lambda = c(a^{-1} * \varepsilon')$. □

Proposition 2 The following statements hold for $\lambda_1, \lambda_2 \in GF(2^8) - \{0\}$:

Proof: This proof comes from the following lemma. □

Lemma 1 For $\lambda_1, \lambda_2 \in GF(2^8) - \{0\}$, we get

$$E_{\lambda_1} = E_{\lambda_2} \Leftrightarrow \lambda_1 = \lambda_2.$$

Proof: This lemma is equivalent to this assertion: for $\lambda \in GF(2^8) - \{0\}$,

$$E_\lambda = E_1 \Leftrightarrow \lambda = 1.$$

Let us prove this statement and assume that $\lambda E_1 = E_1$. Remark that $E_1 = \{ e = \{e_7 e_6 \ldots e_0\}_b \in GF(2^8) - \{0\} : e_7 = e_5 \}$. Hence $\{1, x, x^2, x^3, x^4, x^6, x^5 + x^7\}$ is a basis of $E_1$. Multiply the basis vectors $v_i$ by $\lambda = \{\lambda_7 \ldots \lambda_0\}_b$. As $\lambda v_i \in E_1$, we have $(\lambda v_i)_7 = (\lambda v_i)_5$. We obtain 7 relations ($\lambda_7 = \lambda_5$, $\lambda_6 = \lambda_4$, $\lambda_5 = \lambda_3 + \lambda_7$, $\lambda_4 = \lambda_6 + \lambda_2 + \lambda_7$, $\lambda_7 + \lambda_3 = \lambda_5 + \lambda_1 + \lambda_6$, $\lambda_5 + \lambda_1 = \lambda_3 + \lambda_4$, $\lambda_6 + \lambda_5 = \lambda_7 + \lambda_3$). We solve this system to obtain $\lambda_7 = \lambda_6 = \lambda_5 = \lambda_4 = \lambda_3 = \lambda_2 = \lambda_1 = 0$. The solution $\lambda = 0$ doesn't match. We have $\lambda = 1$. □

Proposition 3 For $\lambda_1, \lambda_2, \lambda_3 \in GF(2^8) - \{0\}$, we get:

$$\dim_{GF(2)}(E_{\lambda_1} \cap E_{\lambda_2} \cap E_{\lambda_3}) = \begin{cases} 7 & \text{if } \lambda_1 = \lambda_2 = \lambda_3, \\ 6 & \text{if } \mathrm{rank}_{GF(2)}\{\lambda_1^{-1}, \lambda_2^{-1}, \lambda_3^{-1}\} = 2, \\ 5 & \text{otherwise.} \end{cases}$$

Proof: It comes from Proposition 2 and the following lemma. □

Lemma 2 For $\lambda_1, \lambda_2, \lambda_3 \in GF(2^8) - \{0\}$, we get

$$E_{\lambda_1} \cap E_{\lambda_2} = E_{\lambda_1} \cap E_{\lambda_3} \Leftrightarrow \lambda_3^{-1} = \lambda_1^{-1} + \lambda_2^{-1} \text{ or } \lambda_1 = \lambda_2.$$

Proof:

1. $\Leftarrow$

Let $x \in E_{\lambda_1} \cap E_{\lambda_3}$, then $\exists y, t \in E_1$ such that $x = \lambda_1.y = \lambda_3.t$.

$$y = \lambda_1^{-1}.\lambda_3.t = \lambda_2^{-1}.\lambda_3.t + t,$$
$$y - t = \lambda_2^{-1}.\lambda_3.t \in E_1,$$

and

$$x = \lambda_3.t = \lambda_2.(y - t) \in E_{\lambda_2}.$$

2. $\Rightarrow$

Assume that $\lambda_1 \neq \lambda_2$, and let us show that $\forall t \in E_1$, $\lambda_3.(\lambda_1^{-1} + \lambda_2^{-1}).t \in E_1$. Let $x = \lambda_3.t \in E_{\lambda_3}$:

• If $x \in E_{\lambda_1}$ then $x \in E_{\lambda_2}$, therefore $\exists s_1, s_2 \in E_1$ such that $x = \lambda_1.s_1 = \lambda_2.s_2$ and we get $\lambda_3.(\lambda_1^{-1} + \lambda_2^{-1}).t = s_1 + s_2 \in E_1$.

• If $x \notin E_{\lambda_1}$ then $x \notin E_{\lambda_2}$, therefore we get $\lambda_1^{-1}.x \notin E_1$ and $\lambda_2^{-1}.x \notin E_1$. We have $\lambda_3.(\lambda_1^{-1} + \lambda_2^{-1}).t = \lambda_1^{-1}.x + \lambda_2^{-1}.x \in E_1$ (because $\forall u \notin E_1$ and $\forall v \notin E_1$, $u + v \in E_1$).

We showed that $E_{\lambda_3(\lambda_1^{-1} + \lambda_2^{-1})} = E_1$ and with Lemma 1 we get $\lambda_3^{-1} = \lambda_1^{-1} + \lambda_2^{-1}$. □



Proposition 4 Finally, for $\lambda_1, \lambda_2, \lambda_3, \lambda_4 \in GF(2^8) - \{0\}$, we get:

$$\dim_{GF(2)}(E_{\lambda_1} \cap E_{\lambda_2} \cap E_{\lambda_3} \cap E_{\lambda_4}) = \begin{cases} 7 & \text{if } \lambda_1 = \lambda_2 = \lambda_3 = \lambda_4, \\ 5 & \text{if } \mathrm{rank}_{GF(2)}\{\lambda_1^{-1}, \lambda_2^{-1}, \lambda_3^{-1}, \lambda_4^{-1}\} = 3, \\ 4 & \text{otherwise.} \end{cases}$$

Definition 4 We considered the four equations separately, but the committed fault is common to these four equations; that is why we introduce the set of possible committed faults $S$:

Moreover, the cardinality of $S$ is smaller than the cardinality of $S_{c,\varepsilon'}$. It allows us to reduce the space of the faults, and so to use fewer faulty calculations to go back up to the key.

Corollary 1 If two of the four following values $2^{-1}.\varepsilon_0$, $\varepsilon_1$, $\varepsilon_2$, $3^{-1}.\varepsilon_3$ are not equal, we have

$$\mathrm{Card}(S_{2,\varepsilon_0} \cap S_{1,\varepsilon_1} \cap S_{1,\varepsilon_2} \cap S_{3,\varepsilon_3}) \leq 63.$$

Proposition 5 For a differential fault $\varepsilon'$, let $e \in S \cap S_{c,\varepsilon'}$ be a fault value and define $\theta = ((a^{-1} * \varepsilon').c.e)^{-1} \in E_1^*$ and $\alpha, \beta$ the two solutions (in $GF(2^8)$) of the equation $t^2 + t = \theta$. The possible values of the key byte $K_{N_r}[i]$ (for some $i$, the index of the element in the state) are

• If $\theta \neq 1$, then there are two possible values of $K_{N_r}[i]$:

$$K_{N_r}[i] = s(c.e.\alpha) + F_{N_r,A}[i] \quad \text{or} \quad K_{N_r}[i] = s(c.e.\beta) + F_{N_r,A}[i]$$

• If $\theta = 1$, then there are four possible values of $K_{N_r}[i]$:

$$K_{N_r}[i] = s(c.e.\alpha) + F_{N_r,A}[i] \quad \text{or} \quad K_{N_r}[i] = s(c.e.\beta) + F_{N_r,A}[i]$$
$$\text{or} \quad K_{N_r}[i] = b + F_{N_r,A}[i] \quad \text{or} \quad K_{N_r}[i] = s(c.e) + F_{N_r,A}[i]$$

Proof:

• If $\theta \neq 1$, we know that $\theta \in E_1^*$; then there are two solutions $\alpha, \beta$ of $t^2 + t = \theta$. We deduce two solutions of (1), noted $\{x_1, x_2\}$, by $x_1 = c.e.\alpha$ and $x_2 = c.e.\beta$.

• If $\theta = 1$, we know that $1 \in E_1^*$; then there are two solutions $\alpha, \beta$ of $t^2 + t = 1$. We deduce two solutions of (1), noted $\{x_1, x_2\}$, by $x_1 = c.e.\alpha$ and $x_2 = c.e.\beta$. Moreover, there are also two trivial solutions of (1): $x_3 = 0$ and $x_4 = c.e$.

Once we get a solution $x$ of (1), it is easy to get a possible value of $K_{N_r}[i]$. □

By applying this proposition to the four faulty elements of the state, we can deduce four sets of possible values for $K_{N_r}[0]$, $K_{N_r}[7]$, $K_{N_r}[10]$ and $K_{N_r}[13]$. Then, by repeating the insertion of faults in a calculation and by intersecting these four sets, we get rather quickly a single value for $K_{N_r}[0]$, $K_{N_r}[7]$, $K_{N_r}[10]$ and $K_{N_r}[13]$.

3.6 Example

Remember our example:

$$s(x_0 \oplus 2.e) = s(x_0) \oplus \text{'E7'}$$
$$s(x_1 \oplus e) = s(x_1) \oplus \text{'51'}$$
$$s(x_2 \oplus e) = s(x_2) \oplus \text{'47'}$$
$$s(x_3 \oplus 3.e) = s(x_3) \oplus \text{'99'}$$

Let $E_1^* = \{$'01'..'1F', '40'..'5F', 'A0'..'BF', 'E0'..'FF'$\}$ and $S_{c,\varepsilon'} = \{ (c.(a^{-1} * \varepsilon').e)^{-1},\ e \in E_1^* \}$. We compute

$S_{2,\text{'E7'}} \cap S_{1,\text{'51'}} \cap S_{1,\text{'47'}} \cap S_{3,\text{'99'}}$
= {'01', '04', '13', '1E', '21', '27', '33', '3B', '48', '4D', '50', '53', '55', '5D', '64', '65', '7E', '7F', '80', '83', '8D', '8F', '93', 'A7', 'A8', 'A9', 'AB', 'B3', 'B8', 'C9', 'F6'}

We got (the real value of $K_{10}[0]$ is 'D0')

$K_{10}[0] \in$ {'03', '06', '09', '0C', '10', '15', '1A', '1F', '21', '24', '2B', '2E', '32', '37', '38', '3D', '43', '46', '49', '4C', '50', '55', '5F', '61', '64', '6B', '6E', '72', '77', '78', '7D', '83', '86', '89', '8C', '90', '95', '9A', '9F', 'A1', 'A4', 'AB', 'AE', 'B2', 'B7', 'B8', 'C3', 'C6', 'C9', 'CC', 'D0', 'D5', 'DA', 'DF', 'E1', 'E4', 'EB', 'EE', 'F2', 'F7', 'F8', 'FD'}

With the five faults {'1E', 'E1', 'B3', '16', '9E'}, we obtain a correct and single value of $K_{10}[0]$, $K_{10}[7]$, $K_{10}[10]$,

4 Generalisation

4.1 Without fault location

In this section, we assume that the fault is on one byte, between the last two MixColumns. It is the same case as previously, except that the fault can be on any of the bytes 1 to 16. The fault is propagated by the MixColumn and spread over 4 bytes of the state. On the first row of the differential state matrix, we have one induced fault. We can determine the column the injected fault belongs to by considering the column of this induced fault. Next, we analyse the four possibilities of row position for the injected fault with the method presented in the previous section.

4.2 Hardware Device

Suppose that you can physically modify a hardware AES device. First, compute ciphertexts for more than ten random plaintexts with the AES device. Next, modify the design, for example by cutting lines and connecting them to ground (or Vcc) temporarily between two bytes during the round located two rounds before the end. It amounts to having a byte of round $N_r - 2$ always replaced by '00' (or 'FF'). Compute the same messages another time with the tampered device. With random plaintexts, the faulty byte is like a random fault. This fault is passed on to four faults at round $N_r - 1$ and sixteen faults at round $N_r$. It is this differential matrix that we can analyse error by error to find the last round key.

A Back to the initial key with the last subkey

See [1] for additional information about $w$ and the RotWord, Rcon and SubWord functions. Let us denote by $K_n[j]$ the $j$-th byte of the $n$-th round key, and $w$ as in [1]. We have

$$K_n = (w[N_k n], w[N_k n + 1], \ldots, w[N_k n + N_k - 1]).$$

We have the following relations (for $N_k = 4, 6$):
for $N_k \leq i < N_b * (N_r + 1)$, $i \neq 0 \bmod N_k$,

$$w[i] = w[i - N_k] \oplus w[i - 1]$$
i.e. $w[i - N_k] = w[i] \oplus w[i - 1]$

and for $i = 0 \bmod N_k$,

$$w[i] = w[i - N_k] \oplus \mathrm{SubWord}(\mathrm{RotWord}(w[i - 1])) \oplus \mathrm{Rcon}[i / N_k]$$
i.e. $w[i - N_k] = w[i] \oplus \mathrm{SubWord}(\mathrm{RotWord}(w[i - 1])) \oplus \mathrm{Rcon}[i / N_k]$

Hence, we have
for $0 \leq i < N_b * (N_r + 1) - N_k$, $i \neq 0 \bmod N_k$,

$$w[i] = w[i + N_k] \oplus w[i + N_k - 1] \qquad (3)$$

and for $i = 0 \bmod N_k$,

$$w[i] = w[i + N_k] \oplus \mathrm{SubWord}(\mathrm{RotWord}(w[i + N_k - 1])) \oplus \mathrm{Rcon}[(i + N_k) / N_k] \qquad (4)$$

With AES-256, you must add a SubWord operation when $i = 4 \bmod N_k$. So we can deduce the previous key from the ending subkey and, step by step, obtain $K_0$, which is the cipher key.



    RecoverKey(byte Finalkey[4*Nk], word w[Nb*(Nr+1)], Nk)
    begin
        word temp
        i = Nb * (Nr+1) - 1
        j = Nk - 1
        while (j >= 0)
            w[i] = word(Finalkey[4*j], Finalkey[4*j+1],
                        Finalkey[4*j+2], Finalkey[4*j+3])
            i = i - 1
            j = j - 1
        end while
        {here, "i" must be equal to Nb * (Nr+1) - Nk - 1}
        while (i >= 0)
            temp = w[i+Nk-1]
            if (i mod Nk = 0)
                temp = SubWord(RotWord(temp)) xor Rcon[i/Nk+1]
            else if (Nk > 6 and i mod Nk = 4)
                temp = SubWord(temp)
            end if
            w[i] = w[i+Nk] xor temp
            i = i - 1
        end while
    end

Figure 1: Pseudo Code for Key Recovery.

Remark 1 On AES-128, it is sufficient to know $K_{10}$ to find the cipher key, but on AES-256, you must know $K_{13}$ and $K_{14}$.
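The following Python block is an added example, not code from the paper; it serves three passages at once. It builds the S-box $s$ of Section 2.4 from the matrix $a$ and the constant $b = $ '63', computes the solution sets $S_{c,\varepsilon'}$ of Definition 1 by direct search over $x$ and applies them to the worked example of Sections 3.4 and 3.6 (differentials 'E7', '51', '47', '99' and faulty output byte 'DE'), and inverts the key schedule as in Appendix A and Figure 1, starting from the round-10 key of the FIPS-197 test vector quoted in Section 3.2. Function and constant names are this example's own; $N_r = N_k + 6$ is taken from FIPS-197. Proposition 1 describes the same sets as the image of $E_1^*$ under $t \mapsto (c(a^{-1} * \varepsilon').t)^{-1}$; that route needs the inverse of the $GF(2)$ matrix $a$ and is not implemented here, the direct search being the definition itself.

```python
# Added example, not code from the paper. It builds the S-box s of Section 2.4 from the
# matrix a and the constant b = '63', computes the sets S_{c,eps'} of Definition 1 for the
# worked example of Sections 3.4 and 3.6, and inverts the key schedule as in Appendix A
# (Figure 1). Names are this example's own; the data ('E7', '51', '47', '99', 'DE' and the
# round-10 key) are the paper's, i.e. the FIPS-197 Appendix B test vector of Section 3.2.

AES_POLY = 0x11B   # m = x^8 + x^4 + x^3 + x + 1
B_CONST = 0x63     # b in s(x) = a * x^{-1} + b

# The 8x8 GF(2)-matrix a of Section 2.4; row i produces output bit i from (b0, ..., b7).
A_MATRIX = [[1, 0, 0, 0, 1, 1, 1, 1], [1, 1, 0, 0, 0, 1, 1, 1],
            [1, 1, 1, 0, 0, 0, 1, 1], [1, 1, 1, 1, 0, 0, 0, 1],
            [1, 1, 1, 1, 1, 0, 0, 0], [0, 1, 1, 1, 1, 1, 0, 0],
            [0, 0, 1, 1, 1, 1, 1, 0], [0, 0, 0, 1, 1, 1, 1, 1]]

def gf_mul(a, b):
    """Multiplication in GF(2^8) = GF(2)[X] / <m>."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(x):
    """Multiplicative inverse; 0 is mapped to 0 so that s(0) = b as in the paper."""
    return next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)

def affine(x):
    """a * x, with the byte x read as the column vector (b0, ..., b7) over GF(2)."""
    out = 0
    for i in range(8):
        bit = 0
        for j in range(8):
            bit ^= A_MATRIX[i][j] & (x >> j) & 1
        out |= bit << i
    return out

SBOX = [affine(gf_inv(x)) ^ B_CONST for x in range(256)]   # s(x) for every byte x

def solution_set(c, eps):
    """S_{c,eps'} = { e : some x satisfies s(x + c.e) + s(x) = eps' }  (Definition 1)."""
    found = set()
    for e in range(1, 256):
        ce = gf_mul(c, e)
        if any(SBOX[x ^ ce] ^ SBOX[x] == eps for x in range(256)):
            found.add(e)
    return found

def image_of_l():
    """E_1 = Im(x -> x^2 + x), the 7-dimensional GF(2)-subspace of Definition 2."""
    return {gf_mul(x, x) ^ x for x in range(256)}

def example_fault_set():
    """Section 3.6: faults e consistent with all four observed differentials."""
    return (solution_set(2, 0xE7) & solution_set(1, 0x51)
            & solution_set(1, 0x47) & solution_set(3, 0x99))

def key_byte_candidates(c, eps, faulty_byte, faults):
    """Proposition 5 by direct search: each x with s(x + c.e) + s(x) = eps' gives the
    candidate K_Nr[i] = s(x + c.e) + F_Nr,A[i], where F_Nr,A[i] is the faulty output byte."""
    return {SBOX[x ^ gf_mul(c, e)] ^ faulty_byte
            for e in faults for x in range(256)
            if SBOX[x ^ gf_mul(c, e)] ^ SBOX[x] == eps}

def rcon(i):
    """Rcon[i] = x^(i-1) in GF(2^8), the non-zero byte of the FIPS-197 round constant."""
    v = 1
    for _ in range(i - 1):
        v = gf_mul(v, 2)
    return v

def recover_key(last_words, nk):
    """Figure 1: from the last nk words of the expanded key back to w[0..nk-1], i.e. the
    cipher key, by relations (3) and (4). last_words holds nk 4-byte words; nr = nk + 6."""
    nb, nr = 4, nk + 6
    total = nb * (nr + 1)
    w = [None] * total
    w[total - nk:] = [list(word) for word in last_words]
    for i in range(total - nk - 1, -1, -1):
        temp = list(w[i + nk - 1])
        if i % nk == 0:
            temp = [SBOX[v] for v in temp[1:] + temp[:1]]      # SubWord(RotWord(temp))
            temp[0] ^= rcon(i // nk + 1)
        elif nk > 6 and i % nk == 4:                         # extra SubWord for AES-256
            temp = [SBOX[v] for v in temp]
        w[i] = [u ^ v for u, v in zip(w[i + nk], temp)]
    return bytes(v for word in w[:nk] for v in word)

# K_10 of the paper's example (the key of Section 3.2), as four 4-byte words.
K10_WORDS = [[0xD0, 0x14, 0xF9, 0xA8], [0xC9, 0xEE, 0x25, 0x89],
             [0xE1, 0x3F, 0x0C, 0xC8], [0xB6, 0x63, 0x0C, 0xA6]]

if __name__ == "__main__":
    faults = example_fault_set()
    print("faults:", sorted(f"{e:02X}" for e in faults))
    cands = key_byte_candidates(2, 0xE7, 0xDE, faults)
    print("K10[0] candidates:", sorted(f"{k:02X}" for k in cands))
    print("cipher key:", recover_key(K10_WORDS, 4).hex())
```

Run stand-alone, it prints the fault set (to be compared with the 31 values listed in Section 3.6), the candidate set for $K_{10}[0]$, which contains the real value 'D0', and the cipher key '2B 7E 15 16 ...' recovered from $K_{10}$ alone, as Remark 1 states for AES-128. Each $S_{c,\varepsilon'}$ has 127 elements (Proposition 1), $E_1$ is exactly the set of bytes with $e_7 = e_5$ (Lemma 1), and the intersection has at most 63 elements (Corollary 1), since $a^{-1} * $ '51' $\neq a^{-1} * $ '47' already forces two distinct $\lambda$.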